cz32ts – evil twin of NV32ts?

There is an update to this post here.

In the past, we’ve seen various automated SQL Injection attempts bearing a User-Agent of NV32ts. It’s all a little odd, since:

  • The attempts are dead easy to spot, thanks to the user agent (there’s even a Snort rule for detecting it)
  • The attempts could be described as recon-only, since they didn’t seek to change anything.

Two injection attempts would be made by the attacker. The injected SQL would look like this:

%20And%20char(124)%2b(Select%20Cast(Count(1)%20as
%20varchar(8000))%2Bchar(124)%20From%20[sysobjects]
%20Where%201=1)>0

And this:

‘%20And%20char(124)%2b(Select%20Cast(Count(1)%20as
%20varchar(8000))%2Bchar(124)%20From%20[sysobjects]
%20Where%201=1)>0%20and%20”=’

These two cover the cases for vulnerable non-string and string parameters, and each case would be attached to the end of  the URL under test, after the last parameter. We’d usually see a spate of attempts in a short space of time from different source IP addresses, possibly suggesting that some botnet or other is doing all the work (possibly even Conficker).

Yesterday, we saw another run of attempts with the same pattern. A handful of source IP addresses targetted the same victim websites, each trying the same URL twice, appending the same two SQL statements as above. The only difference is the user agent – what was NV32ts has become cz32ts.

It’s still something of a mystery, though. Why use such a distinctive user agent? Why change it? What are the baddies looking for? If they’re going to go to the bother of scanning for sites vulnerable to SQL injection, why don’t they just try to inject something? Why conduct all this recon, when it would be difficult to reliably detect if you’re actually talking to a vulnerable site? Are the botmasters selling lists of potentially vulnerable sites rather than exploiting them themselves?

Any ideas?


Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters(at)dataline.co.uk

About these ads

2 Responses to “cz32ts – evil twin of NV32ts?”

  1. Thanks for the comment on my blog. Interesting. I’m gonna have to start looking for this one now. Great analysis!

  2. I wish they would develop a bit of intelligent into these automated attack scripts, I 404 them, but the still keep hitting my server every day.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 32 other followers

%d bloggers like this: